OpenSRS sends out customer passwords in plaintext !

From: opensrs-discuss-1@ied.com
Date: Mon Sep 08 2003 - 20:15:25 EDT


 Hi guys,

 OpenSRS leaks customer passwords in plaintext !

 I was there - these guys started a program which monitors
network traffic and used another computer to bring up the
reseller page. They clicked on the link for sending the
login information, typed in the other company's name and in
seconds the network monitoring program showed the reseller
password for that company !! They went in and were able to
see *ALL THEIR RECORDS*, *ALL THEIR CUSTOMERS AND CUSTOMER
RECORDS*!

 I was really stumped when they showed me that *THEY CAN NOW
CHANGE THIS COMPANY'S CUSTOMER RECORDS - EVEN "UNLOCK" THEIR
DOMAINS* like for transfers away from them, etc !!!

 I don't know how long this has been.

 I asked how they managed to decrypt that information,
and they said they didn't !! They said that OpenSRS just
doesn't care - they don't even use PGP, they just send
passwords in plaintext.

 OpenSRS, I think you want to fix this faaaaaaaast !!!

   Mark.


